The British Department of Health recommends that its National Health Service staff stop using Internet Explorer 6 without a necessary security patch. The British move is part of a general concern in Europe about Internet Explorer security following a wave of attacks against Google and other companies carried out by exploiting an invalid pointer reference. Germany and France have also advised their citizens to stop using unpatched versions of Internet Explorer. Windows 7 includes IE 8, the latest version of the Web browser.
The British Department of Health has issued a bulletin to its National
Health Service staff recommending that they stop using Internet Explorer 6
until the necessary security patch can be downloaded, as part of a wider European
pullback from the browser due to security concerns.
Following news in January that a zero-day bug in Internet Explorer had been
exploited in intensive attacks against Google and other companies, both France
and Germany advised their citizens to stop using Internet Explorer until a
patch could be issued. Those attacks allegedly originated from China,
leading Google to threaten to cease operations in that country.
The British Department of Health's bulletin advised any organizations
continuing to use Internet Explorer 6 to download the necessary security update
patch. Otherwise, it added, the vulnerability "could allow an attacker to
download and install further malware [and] spyware on the computer, add user
accounts to the computer, steal sensitive data held locally and centrally, and
so forth." While the attacks against Google and other companies had been
executed via Internet Explorer 6 running on Windows 2000 and Windows XP,
"work is ongoing to leverage the exploit code so that it works
successfully on other versions of Internet Explorer on other Windows
platforms."
Furthermore, the bulletin added, "If an organization has systems
compromised via this vulnerability, there may be consequential reputational
damage, especially if sensitive data is affected or the compromised system is
used to attack other systems."
According to Microsoft, the vulnerability in question centers on an invalid
pointer reference, which can be accessed after an object is deleted; more
information can be found in a Microsoft
security bulletin. The company is also urging users of Internet Explorer 6
to upgrade to Version 8, the most recent edition, and to set their Internet and
local intranet security zones to "high" so as to prompt before
running ActiveX controls and active scripting in these zones.
"Microsoft has consistently recommended that consumers upgrade to the
latest version of our browser," a Microsoft spokesperson told eWEEK.
"Internet Explorer 8 offers improvements in speed, security and
reliability as well as new features designed for the way people use the
Web."
Representatives of the British government have suggested that no browser is
necessarily safe for very long.
"Complex software will always have vulnerabilities and motivated
adversaries will always work to discover and take advantage of them," Lord
West of Spithead said during a discussion
in the House of Lords about public-sector use of Internet Explorer 6.
"There is no evidence that moving from the latest fully patched versions
of [Internet] Explorer to other browsers will make things more secure. Regular
software patching and updating will help defend against the latest
threats."
Nicholas Kolakowski is a staff editor at eWEEK, covering Microsoft and other companies in the enterprise space, as well as evolving technology such as tablet PCs. His work has appeared in The Washington Post, Playboy, WebMD, AARP the Magazine, AutoWeek, Washington City Paper, Trader Monthly, and Private Air. He lives in Brooklyn, New York.